Data Processing and Transfer Terms Agreement (C2P)

The parties acknowledge and agree personal data that originates or resides outside the United States and is transferred to The Church of Jesus Christ of Latter-day Saints, a Utah Corporation sole (“Data Processor”) as a result of its related party affiliate with a Master Reciprocal Services and Data Transfer Agreement (“Data Controller”) are subject to, (i) the terms signed by both parties in which this Data Processing and Transfer Terms Agreement is incorporated by reference (“Agreement”), and (ii) all applicable privacy and data protection laws.

The parties understand and agree that (i) the Data Controller is the data exporter of the transferred personal data, and the (ii) related party affiliate is the Data Processor and data importer.

The parties understand and agree that the Data Controller is responsible for all government registrations required by law in the relevant jurisdiction, although the Data Processor may facilitate the required registrations or other legal responsibilities as a service to the Data Controller.

Unless otherwise stated, Annexes I, II, and III apply to all processing activities and transfer mechanisms under this Addendum, regardless of the applicable transfer mechanism or jurisdiction.

(1) For Data Controllers in the following locations, the EU Standard Contractual Clauses, Module 2: Controller to Processor (“EU SCC, Module 2”) (located here) apply:

  • Afghanistan, Albania, Algeria, Armenia, Austria, Australia, Azerbaijan, Bahrain, Barbados, Belarus, Belgium, Belize, Botswana, Bosnia and Herzegovina, British Virgin Islands, Bulgaria, Burkina Faso, Cayman Islands, Congo, Cook Islands, Croatia, Cuba, Cyprus, Czech Republic, Denmark, Ecuador, Egypt, Estonia, Eswatini, Ethiopia, Fiji, Finland, France, French Guiana, French Polynesia, French Southern Territories, Gabon, Georgia, Germany, Guernsey, Glorioso Islands, Greece, Grenada, Guyana, Haiti, Hungary, India, Iran, Iraq, Ireland, Isle of Man, Italy, Israel, Jamaica, Japan, Jersey, Jordan, Juan de Nova Island, Kazakhstan, Kenya, Kiribati, Kosovo, Kuwait, Latvia, Lebanon, Libya, Liechtenstein, Lithuania, Luxembourg, Malta, Marshall Islands, Mexico, Micronesia, Monaco, Mongolia, Montenegro, Morocco, Nauru, Nepal, Netherlands, New Caledonia, Niger, Niue, Norway, Oman, Palau, Panama, Papua New Guinea, North Macedonia, Pakistan, Palestine, Pitcairn Islands, Poland, Portugal, Republic of Ireland, Republic of Moldova, Romania, Saint Kitts and Nevis, Samoa, San Marino, Serbia, Seychelles, Slovakia, Slovenia, Solomon Islands, Somalia, South Africa, South Korea, Spain, Sri Lanka, Sudan, Sweden, Switzerland,* Syria, Tanzania, Togo, Tokelau, Tonga, Tunisia, Turkey, Tuvalu, Uganda, Ukraine, United Arab Emirates, United Kingdom,** Vanuatu, Yemen, Zambia, Zimbabwe.
  • * Although the EEA Data Processing and Transfer Addendum applies to Switzerland, Switzerland also requires additional language, which is hereby incorporated into the Addendum as supplement to, and not in replacement of, the EU SCC, Module 2, as set out below. For clarity, the EU SCC, Module 2 apply in full to Switzerland except as expressly supplemented by this additional language.
  • **Although the EEA Data Processing and Transfer Addendum applies to the United Kingdom, the United Kingdom also requires additional language, which is hereby incorporated into the Addendum as a supplement to, and not in replacement of, the EU SCC, Module 2, as set out below. For clarity, the EU SCC, Module 2 apply in full to the United Kingdom except as expressly supplemented by this additional language.
  • The following applies to the EU SCC, Module 2 as agreed by the parties referenced above:
    • Clause 7 (Docking clause) is stricken.
    • Clause 9 (Use of sub-processors) incorporates OPTION 2: GENERAL WRITTEN AUTHORISATION).
    • Clause 11 (Redress) does not incorporate the OPTION in (a).
    • Clause 13 (Supervision) incorporates language applicable to data exporters established in an EU Member State.
    • Clause 17 (Governing Law) incorporates OPTION 1. The governing law is the law of the country in which the data exporter is established.
    • Clause 18 (Choice of forum and jurisdiction) incorporates OPTION 1. The courts of the country in which the data exporter is established have jurisdiction.

ANNEX I:

A. List of Parties

Data Exporter

  1. Name: Data Controllers identified in the Agreement
  2. Address: Address of Data Controllers identified in the Agreement
  3. Contact: See the “Contact Information for Notices” specified for Data Controllers in the Agreement
  4. Activities relevant to the data transferred under the Clauses: Relevant activities are described in Section B (“Description of Transfer”) below
  5. Role: Controller

Data Importer

  1. Name: The Church of Jesus Christ of Latter-day Saints, a Utah Corporation sole FamilySearch International
  2. 50 East North Temple Street, Salt Lake City, Utah 84150
  3. Contact: Manager, Data Privacy Office - 50 East North Temple Street, Salt Lake City, Utah 84150
    1. Telephone: (801) 240-1187
    2. Email: privacy@churchofjesuschrist.org
  4. Activities relevant to the data transferred under the Clauses: Relevant activities are described in Section B (“Description of Transfer”) below
  5. Role: Processor

B. Description of Transfer

Categories of data subjects whose personal data is transferred

Data subjects found in historical and genealogical records whose personal data are being preserved for research, historical and statistical purposes.

Categories of personal data transferred

Genealogical data - Information collected to preserve people’s personal and family history:

  • Names (data subject’s name, father’s and mother’s names, children’s names, sibling’s names, spouse’s names, etc.)
  • Family relationships (names of individuals, siblings, parents, children, grandparents, aunts, uncles).
  • Biographical information (name, birth date, death date, stories and details about the individual’s life, occupation, education, location of life events, personal religious events – baptism, confirmations, etc.)
  • Birthdate, birthplace, and related details (sex of child, names of parents, address of parents at time of birth, or adopted parents depending on the type of birth record in question, date of birth, and location of birth).
  • Age
  • Gender
  • Marriage date, place, and related details (name of individual, parents, etc.)
  • Death date, death place, and related details (name of individual, manner of death)
  • Nationality
  • Personal characteristics, including photographic image
  • Other information contained in acquired genealogical and historical records, including from censuses (individual names, children, occupation, residence), family histories (biographical data, names, family relationships), parish registers (names of congregation members, residence, dates of birth, family relations), church records (birth, marriage death records, baptisms, confirmations), civil registrations (birth, marriage, and death records), newspaper obituaries (birth, land records, state archive collections), and naturalization records (citizenship records, immigration records, naturalization records including names, birth dates, country of origin, country of residence, address, family member names, occupation, some country specific items depending on the country and date of collection).

Sensitive data – Information that is incidentally included in historical and genealogical records that may be defined as sensitive or special category data under Privacy Laws:

  • Identity & Demographic Data (racial or ethnic origin, national origin, tribal origin, social status, specific identity (unique identifiers, e.g., passports, national identification number, driver’s license, state ID), marital status, age, color, citizenship or immigration status, status as a victim of crime or having suffered damage by a crime)
  • Beliefs & Associations (religious beliefs or affiliations, philosophical beliefs, moral beliefs, ideological convictions, political opinions, political persuasion, political ideologies, or political affiliation, trade union membership, guild membership, union affiliation, membership in professional or social associations, or human rights organizations)
  • Health & Genetic/Biometric Data (current or future physical or mental health condition, status, or diagnosis, medical history, medical records, medical treatment, provision of healthcare, psychological or physiological status, genetic data (inherited or acquired characteristics, human biological profile, methods of death, consumer health data), biometric data (used for unique identification, automated verification, or revealing additional sensitive characteristics), neural data (brain/neuro-related data, cognitive/emotional data)
  • Criminal & Legal Data (criminal record or history, criminal behavior or acts, commission or alleged commission of an offense, proceedings, outcomes, sentences, or penalties relating to criminal matters)
  • Location & Communication Data (geolocation data (precise or specific location, including GPS coordinates or IP address), communications data, including content and metadata of calls, texts, emails, or mail, contents of mail, email, or text messages (unless addressed to the recipient))
  • Youth Data (any personal data associated with a minor)
  • Other
    • Personal habits, family matters, lifestyle, and intimate/private life circumstances
    • Moral or ethical characteristics
    • Family life data
    • Education records
    • Employment-related data tied to protected characteristics
    • Data relating to ideology or beliefs not otherwise captured
    • Any data that may significantly threaten privacy, dignity, safety, or property if misused
    • Data with heightened risk of discrimination or harm depending on context (e.g., TV-viewing data classified as sensitive by the government)
    • Marital status (names, dates, etc.)
    • Religious Records (Information in church records including membership numbers, names, birth dates, baptism dates, marriage dates, death dates, and data related to specific religion).
    • Data pertaining to minors (names, birth dates, parents, siblings, guardianship records, adoption information, judicial records, educational records)
    • Political affiliation (name and political party, donation information)

The frequency of the transfer (e.g., whether on a one-off or continuous basis).

Ad hoc

Nature of the processing

The personal data transferred may be subject to various processing activities, when legally permitted, including digitizing, indexing, hosting, storing, transmitting, redacting, and displaying. These activities are supported by cloud-based data centers, including those in the United States, to the extent allowed by the Privacy Laws. The data exporter instructs the data importer to transfer personal data to the United States for these activities. For example, the data may be processed to support the following activities:

  • Preservation of Historical Records: Digitizing, preserving, indexing, storing, and/or archiving historical documents, photos, and artifacts for future generations, as instructed by the data exporter.
  • Genealogy: Once permitted by Privacy Laws and by the data exporter (e.g., when the data is no longer restricted), the data may be included in applications used by researchers and website users to support the tracing of lineage or family history records or other genealogy research, programs, and activities.
    • Family History Research: Collecting and preserving information about one’s ancestors and family tree.
    • Genealogy Instruction: Providing training and resources to help millions of people around the world discover their heritage and connect with family members.

Purpose(s) of the data transfer and further processing

The data transfer to the data importer (at the data importer’s global headquarters) and further processing by the data importer supports the preservation and storage of historical family records for the benefit of public archives, government bodies, indigenous peoples, private archives, other private bodies, and individuals. If permitted by Privacy Laws and by the data exporter (e.g., when the data is no longer restricted), these records may also be made publicly available on the data importer’s website for free for research purposes.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

personal data collected for historical preservation purposes will be retained according to the instructions of the data exporter for as long as requested. In many cases, so long as the records retain historical value, they may be retained indefinitely for archival purposes and to document genealogy, subject to applicable legal requirements, including any obligation to honor valid erasure requests.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing

The data importer processes personal data to preserve historical records and for genealogical research purposes, at the instruction of the data exporter. The data importer may engage a processor or sub-processor pursuant to a processing or sub-processing agreement to assist with data processing for these same purposes and to perform functions on behalf of the data exporter and/or data importer (for example, digitizing and indexing historical records). The processing or sub-processing agreement will provide additional details regarding the subject matter, nature, and duration of the processing.

C. Competent Authority

Identify the competent authority/ies in accordance with Clause 13

The supervisory authority of the country of the data exporter identified in Annex I.A.

ANNEX II:

TECHNICAL AND ORGANIZATIONAL MEASURES FOR THE DATA IMPORTER

The technical and organization measures for the data importer are located here.

ANNEX III:

LIST OF SUB-PROCESSORS

The controller has authorized the use of the sub-processors listed here.

Swiss Addendum to the EU Standard Contractual Clauses

Where a transfer of personal data from a data exporter to a data importer is subject to the EU GDPR and the FADP (as defined below), the following additional provisions shall also apply in order for the Standard Contractual Clauses to be suitable for ensuring an adequate level of protection for such transfer in accordance with Article 6 paragraph 2 letter of the FADP:

(a) “FADP” means the Federal Act on Data Protection of 19 June 1992 (SR 235.1).

(b) “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.

(c) “Revised FADP” means the revised version of the FADP of 25 September 2020, which came into force on 1 January 2023.

(d) The term “EU Member State” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility for enforcing their rights before the courts of their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses.

(e) The Standard Contractual Clauses also protect the data of legal entities until the entry into force of the Revised FADP.

(f) The FDPIC shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP.

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
(“UK IDTA”)

The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (located here) is hereby incorporated by reference and the following applies:

Part 1: Tables

Table 1 is populated exactly as in EU SCC, Module 2, Annex I.

Table 2 - The following applies to the EU SCC, Module 2 as agreed to by the parties referenced above:

  • Clause 7 (Docking Clause) is stricken.
  • Clause 9 (Use of sub-processors) incorporates OPTION 2: GENERAL WRITTEN AUTHORISATION).
  • Clause 11 (Redress) does not incorporate the OPTION in (a).
  • Clause 13 (Supervision) incorporates language applicable to data exporters established in an EU Member State.
  • Clause 17 (Governing Law) incorporates OPTION 1. The governing law is the law of the country in which the data exporter is established.
  • Clause 18 (Choice of forum and jurisdiction) incorporates OPTION 1. The courts of the country in which the data exporter is established have jurisdiction.

Table 3 – is populated with the EU SCC, Module 2 Annex I, II, and III.

Table 4 – The UK IDTA may be ended by either Party (data importer or data exporter).

Part 2 – Mandatory Clauses

All mandatory Clauses apply, and the Alternative Part 2 Mandatory Clauses do not apply.

(2) For Data Controllers in Angola (“Angola”) the following applies in addition to the Angola Contractual Clauses required under in the Angola Data Protection Law (Law no. 22/11, 17 June 2011) (“Angola CCs”) (located here):
  • The following applies to the Angola CCs as agreed to by the parties referenced above:
  • Locations for processing, transferring, and storing of personal data include Ghana and the United States.
  • All other information provided above for the EU SCCs Module 2 applies to the Angola CCs to the extent they are consistent with Angola’s CCs.

(3) For Data Controllers in Nigeria (“Nigeria”) the following applies in addition to the Nigeria Contractual Clauses required under the Nigeria Data Protection Act (NDPA) 2023 (“Nigeria CCs”) as described below:

  • The following applies to the Nigeria CCs as agreed to by the Parties referenced above:
  • Locations for processing, transferring, and storing of personal data include Ghana and the United States.
  • The data importer may be identified by the Nigeria Data Protection Commission under its registration number: NDPC/DCP/02812.
  • All other information provided above for the EU SCCs Module 2 applies to the Nigeria CCs to the extent they are consistent with the Nigeria CCs.

(4) For Data Controllers in the following locations, the ASEAN Model Contractual Clauses, Module 1: Controller to Processor (“MCCs, Module 1”) (located here) apply:

  • Brunei Darussalam, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, Vietnam
  • The following applies to the MCCs, Module 1 as agreed to by the parties referenced above:
    • Clause 2 (Obligations of Data Exporter) is stricken.
    • Clause 3 (Obligations of Data Importer) optional Sub-Clauses 3.4, 3.6, 3.7, and the optional language in 3.7 is stricken. Sub-Clause 3.10 is, “…within a reasonable time period specified by Partners.”
    • Clause 4 (Choice of Law Disputes) incorporates the ASEAN Member State of the data exporter in 4.1. Operational Sub-Clause 4.3 is stricken.
    • Clause 6 (Termination of Contract) incorporates “30 days” into sub-sub-section 6.1.1.
    • Additional Terms for Individual Remedies (Individual Remedies) All individual remedies are stricken.

(6) For Data Controllers in the following locations, the Ibero-American Data Protection Network Model Transfer Agreement (“IADPN MCCs, Controllers to Processor”) (located here) applies:

  • Andorra, Argentina, Chile, Colombia, Peru, Uruguay.
  • The following applies to the IADPN MCCs, Controller to Processor as agreed by the parties referenced above:
    • ANNEX I from the EU SCC, Module 2 is incorporated by reference and populates all required information in the IADPN MCCs, Controller to Processor.
    • Clause 9 (Redress) in Sub-Clause 9(a) the optional language is stricken.
    • ANNEX E is populated with the privacy notice located here.

(7) For Data Controllers in China, the terms located here apply.

(8) For Data Controllers in Hong Kong, the following terms located here apply.

(9) For Data Controllers in Brazil, the following terms located here apply (also PDF found here).

(10) For Data Controllers in New Zealand, the following terms located here apply.

(11) For Data Controllers in Rwanda, the following terms located here apply.

(12) For Data Controllers in Qatar, the following terms located here apply.

(13) For Data Controllers in Saudi Arabia, the following terms located here apply.

Last updated: April 29, 2026

Last Updated On 29 Apr 2026